A trivial flaw in a ten-year-old video conferencing system raises questions about the manufacturer’s responsibility to patch end-of-life products
Managed security service provider Trustwave has today published details of a command injection vulnerability impacting a number of Lifesize video conferencing products. The impacted products are those in the 10-year-old Lifesize 220 series range. This zero-day could enable a threat actor to use PHP files within the Lifesize support section, along with the default passwords that ship with Lifesize products, to gain an initial foothold in the corporate environment where those products are located. Combining the Trustwave zero-day with a previously disclosed privilege escalation vulnerability could give an attacker root privileges on the Lifesize system, along with full persistence on that device and the underlying network.